Navigating the Revised Green Book

Implementation of the Government Accountability Office (GAO)’s 2014 revision to its Standards for Internal Control in the Federal Government, also known as the “Green Book,” offers many challenges and risks for CFOs, but it offers opportunities, too. Full implementation of the revised Green Book allows CFOs to take a fresh look at their risk and control measures to help identify efficiencies, reduce redundant controls and simultaneously make large strides in reducing risk exposure, especially in regard to fraud risks.

What Has Changed?

While the revision’s internal control components (i.e., control environment, risk assessment, control activities, information and communication, and monitoring activities) are largely the same as those in the 1999 Standards, the revised Green Book requires entities to demonstrate and assess whether 17 principles are functioning in order to determine whether their system of internal control is effective. This is critical because the Inspector General, independent auditors, and other related oversight groups will now evaluate an agency’s entire system of internal control, rather than only the specific activities or transactions that were typically examined in the past.

This could create significant challenges for some agency CFOs, including setting back their auditability goals or introducing new material weaknesses in their agency audit reports. If CFOs properly implement the changes needed to adopt the Green Book standards, these potential challenges should be considered short-term impediments.

Further, as noted in the Green Book, the 17 principles are supported by attributes, which are critical in demonstrating that the respective principle is in place. These changes will require CFOs to place more scrutiny on their entity-level controls, as deficiencies in this area can affect the control exception evaluation and reporting process, potentially resulting in new material weaknesses that require remediation. In addition, the revised Green Book now places an even larger emphasis on the risk assessment process, both financial and operational. For example, the Standards now require agencies to take a closer look at fraud risks (principle 8) and to identify fraud risk factors and programs with increased susceptibility to fraud.

Additionally, the Green Book considers implications for Federal entities that are consolidating operations for efficiency via shared service operating models. As such, the new Standards spell out management’s responsibility to understand the shared service provider’s internal controls and how these internal controls impact the entity’s system of internal control (i.e., the service provider and the complementary user entity controls).

Finally, the Standards now set minimum documentation requirements to substantiate the effective design, implementation and operating effectiveness of an agency’s system of internal control. If management identifies deficiencies in meeting these minimum requirements, it must consider these deficiencies to help determine if the agency has successfully implemented the underlying internal control principle.

Implementation Opportunities

While at first glance this may appear to be another compliance burden on already constrained federal resources, this represents an opportunity for federal CFOs to reevaluate their agency’s control and compliance programs to not only validate the effectiveness of their system of internal controls against their risk profiles, but to also more proactively manage the continual changes in laws, regulations and related requirements that affect agencies’ control environments, laying the foundation for broader risk management programs and techniques.

To truly unlock the value that can be achieved through adoption of the revised Green Book, CFOs can consider using the Green Book as a catalyst to evaluate how organizational risks are assessed in light of the agency’s size, complexity, global reach, and risk appetite; identify gaps in current control and compliance strategies; close these noted gaps; and further expand this approach from managing financial reporting risk to include operations and compliance risks.

Implementation Risks

One of the greatest risks to Green Book implementation rests with the increased focus on demonstrating effective design and operating effectiveness over entity-level controls. Fourteen of the 17 principles in the Green Book address entity-level control considerations and, as a result, are significantly more difficult for agencies to assess, measure and quantify.

Combined with the emphasis on supporting control assertions with documentation, this represents an area in which agencies may falter in their implementation. To demonstrate full implementation and compliance, agencies will need complete and comprehensive documentary support for management’s evaluation process. Unfortunately, there are few federal benchmarks available to management, which may cause uncertainty in meeting full adoption requirements. While mature agencies have established internal control programs, the changes to the Green Book, combined with changes in business and mission requirements, may put even established and mature programs at risk. The bottom line: “business as usual” will likely not meet the mark with regard to the revised Green Book Standards.

To help address some of these implementation risks, CFOs can consider documenting an inventory of evidential matter and related items that can help substantiate the effective design and operating effectiveness of the entity-level controls across the Green Book’s 17 principles. For example, principle 1 of the Green Book requires agencies to demonstrate a commitment to integrity and ethical values. To demonstrate that principle 1 is met, agencies could inventory and routinely review their policies that support ethics, such as an anti-fraud policy. They should also inventory the evidence of points of contact for reporting unethical behavior, such as management contacts and the Inspector General (IG) hotlines.

Green Book Principles Critical to Control and Compliance Programs

As agencies continue defining and refining their control and compliance programs around the revised Standards, CFOs can consider the following Green Book principles, which are critical to an agency’s system of internal control:

—Assessing Fraud Risk (Principle 8)

As agencies evolve and change, their ethics programs may become stale or inadequate, while compliance with them may become a “check-the-box” exercise. Moreover, while many agencies have established ethics programs, these programs do not always address the relevant types of fraud and may not consider the ways in which fraudulent activities could occur. Many agencies do not periodically reevaluate fraud risk as significant changes occur within the agency or its external environment. Oftentimes this is a result of agency management not adequately briefing senior stakeholders on fraud risk areas, or of senior stakeholders not challenging management’s assessment of fraud risk.

To effectively demonstrate compliance, CFOs can consider reviewing and updating their risk assessment at least annually. The relevant fraud risks should be discussed, reviewed and revised as necessary with input from key functional and component management. For high-risk areas, CFOs should consider the potential need to include outside fraud experts. Finally, it is important that agencies select well-designed and well-implemented controls to mitigate identified inherent fraud risks.

Change creates risk, and CFOs can implement processes that enable identification and evaluation of changes affecting their agencies on a timely basis. All too often, agency risk assessment processes become routine and are typically rolled over from year to year with little consideration for changes in business operations. Not only does this expose an agency to significant financial and operational risks, it also makes it difficult for agencies to demonstrate their compliance with Principle 9.

CFOs can focus on completing comprehensive risk assessments on an annual basis to help comply with the revised Standards and to execute federal programs with the appropriate level of oversight and demonstrated stewardship. Moreover, agencies will need a repeatable and consistent framework for assessing risks and incorporating new and evolving risks related to changes in agency operations. As agency operations change, it is up to management to demonstrate that it understands the impact on its risk profile and to implement new controls or adapt existing ones to manage risk exposure.

—Outsourced Service Providers (Multiple Principles)

Given the significant increase in outsourcing relationships for information, business processes, and IT, internal controls related to shared service providers have become critical. While most agencies have processes in place for evaluating Statement on Standards for Attestation Engagements No. 16 (SSAE 16) reports obtained from service organizations, most user organizations have not integrated service provider activities into their agency’s system of internal control (i.e., assessing service provider activity across all five components of internal control).

In addition, agencies may rely too heavily on service provider controls and not establish effective user-side controls to manage risk. For example, agencies may record significant journal entries based on reports received from service providers without adequately reviewing these reports and their contents for accuracy and reasonableness. It is important for CFOs to establish robust monitoring controls over shared services. Without such controls, there could be unfortunate surprises late in the year, when SSAE 16 reports are delivered, such as unexpected report qualifications.

While adopting the revised Green Book will likely pose some challenges in the short term, the more robust requirements and control environment considerations will enable a more effective and efficient government that can more readily demonstrate its stewardship of taxpayer dollars. As CFOs design their programs in response to the Green Book revisions, it is important to consider the intent and purpose behind each principle in order to unlock the full value as envisioned by GAO.
